Cant Download recording on Vicidial Web

Posted: Thu Jan 17, 2019 11:03 am
by Leckbush
Hi, I can't download any recordings on Vicidial. After I search for the lead and click the download recording on calls on it, the browser says connection refused by the server. I can only download via server command using the SCP command. Any help?

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 17, 2019 12:20 pm
by ambiorixg12
Have you tried checking the Apache logs while doing this?

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 17, 2019 2:09 pm
by Leckbush
No, I haven't. How do I check it, though?

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 17, 2019 3:26 pm
by ambiorixg12
try

tail -f /var/log/apache2/error_log

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 17, 2019 4:26 pm
by Leckbush
Here's the output:

[Thu Jan 17 21:28:06.249218 2019] [ssl:warn] [pid 1583] AH01909: vicibox.company.com:443:0 server certificate does NOT include an ID which matches the server name
[Thu Jan 17 21:28:06.279823 2019] [ssl:warn] [pid 1583] AH01906: vicibox.company.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Jan 17 21:28:06.279845 2019] [ssl:warn] [pid 1583] AH01909: vicibox.company.com:443:0 server certificate does NOT include an ID which matches the server name
[Thu Jan 17 21:28:08.806256 2019] [mpm_prefork:notice] [pid 1583] AH00163: Apache/2.4.35 (Linux/SUSE) OpenSSL/1.0.2j-fips configured -- resuming normal operations
[Thu Jan 17 21:28:08.806305 2019] [core:notice] [pid 1583] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -D SSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SYSTEMD -D FOREGROUND'
[Fri Jan 18 00:00:02.407691 2019] [mpm_prefork:notice] [pid 1583] AH00171: Graceful restart requested, doing restart
[Fri Jan 18 00:00:02.432992 2019] [ssl:warn] [pid 1583] AH01906: vicibox.company.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Jan 18 00:00:02.433024 2019] [ssl:warn] [pid 1583] AH01909: vicibox.company.com:443:0 server certificate does NOT include an ID which matches the server name
[Fri Jan 18 00:00:02.459966 2019] [mpm_prefork:notice] [pid 1583] AH00163: Apache/2.4.35 (Linux/SUSE) OpenSSL/1.0.2j-fips configured -- resuming normal operations
[Fri Jan 18 00:00:02.459990 2019] [core:notice] [pid 1583] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -D SSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SYSTEMD -D FOREGROUND'

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 17, 2019 4:32 pm
by Leckbush
I think I got the problem. Our server's local address is "192.168.1.X:8080" (I needed to set it to another web port because someone is using port 80 on our external IP) and the recording link is only "192.168.1.x/recordings/...". When I add 8080, it works. So how do I change this? That is, how do I change how the server creates the link for recordings?

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 31, 2019 2:22 pm
by maykelsoft
Try this:
chmod 755 /var/spool/asterisk

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 31, 2019 2:39 pm
by williamconley
Leckbush wrote: I think I got the problem. Our server's local address is "192.168.1.X:8080" (I needed to set it to another web port because someone is using port 80 on our external IP) and the recording link is only "192.168.1.x/recordings/...". When I add 8080, it works. So how do I change this? That is, how do I change how the server creates the link for recordings?


if using ftp to push to an ftp server:

/etc/astguiclient.conf

VARHTTP_path => http://10.0.0.4

becomes:
VARHTTP_path => http://10.0.0.4:8080

and to fix the previous links

perl /usr/share/astguiclient/ADMIN_update_archive_url.pl --old-server-url http://10.0.0.4 --new-server-url http://10.0.0.4:8080

if not using ftp: it's also possible to change the admin->servers settings for this server:
Recording Web Link: EXTERNAL_IP
External Server IP: 10.0.0.4:8080

This could remove the need for any of the previous changes.

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 31, 2019 3:09 pm
by Leckbush
Yes, I already did this via the admin setting. Alternate IP.

We don't use FTP, though.

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 31, 2019 3:14 pm
by williamconley
Cool. Now: Activate the ftp push. Get the recordings off your vicidial server and onto a storage server. Then if your Vicidial server dies you don't lose them AND when you rebuild your vicidial server you don't have to restore them. Completely separate servers. (FYI: A Vicidial rebuild can be done pretty quick, my record is 45 minutes ... but when you have to restore 1T of audio recordings that changes things a bit, lol)

And please tell me you have already activated the vicidial backup script to run nightly AND to push to an FTP server as well so your HD dying doesn't take ALL your data with it. 8-)

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 31, 2019 3:34 pm
by Leckbush
Will look into that next week. That's a great option, but I need to set up more drives in our file server (FreeNAS) if I'm going to do that.

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 31, 2019 3:44 pm
by williamconley
Get at least ONE full backup set (not recordings, just the result of a full backup from the vicidial backup script) off that server now before somethin' bad happens. Better than nothing. Use WinSCP if you have to and copy it to your desktop. 8-)

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 31, 2019 4:00 pm
by Leckbush
Backup script thing? Okay, sure.


PS: We just had a breach on our dialer yesterday but managed to repel the hacker (or whatever you call him). He managed to get the login of one of the users, make it an admin, and dial a high-cost UK number. It was too late by the time we knew, because he had depleted our balance with our VoIP provider. I wonder how he managed to make a level 1 user into user level 9 on the user which is user level 1? Do you think it's a SQL injection?

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 31, 2019 4:47 pm
by williamconley
You must whitelist lock down your server. If you have no idea how to do this, I recommend the instructions for Dynamic Good Guys (note that the instructions BEFORE you install DGG show how to do the whitelist, DGG is really just a simple web page to authorize more IPs after the lockdown, so you don't really need it). But you DO need to whitelist your system.

And change your cron password.

http://www.poundteam.com/downloads/scri ... ass.pl.txt

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 31, 2019 5:25 pm
by Leckbush
So I'm going to change the cron password via the ADMIN_update_cron_pass.pl file using nano? Am I correct?

So if I change the cron password, will it auto-populate the cron secret in the Vicidial server settings along with the other settings that have cron secret settings? Or do I also need to change it manually in the Vicidial settings?

PS: The only thing I have done so far since the incident yesterday was to turn off the port forward of the Vicibox web port (80) so it can't be accessed from outside. And also the port for sshd.

Re: Cant Download recording on Vicidial Web

Posted: Thu Jan 31, 2019 7:34 pm
by williamconley
That script is old, but has not failed us yet. It's not part of the system any more, but if you have someone bypassing security it's quite possible/likely that they are using cron to do so. In theory it changes everything that needs to be changed. But do it AFTER a shift and AFTER a full backup, just in case.

Don't just close 80 & 22. Close them ALL. That's what whitelisting is. Open to authorized IPs only. Including your carriers and your house. But NO ports should be open to the world.

Re: Cant Download recording on Vicidial Web

Posted: Tue Feb 05, 2019 8:11 pm
by Leckbush
Hi William, update on the breach. Our client needs access back to their campaign, as I spoke with them today. But as you know I closed all the ports, and the thing you want me to do, the "whitelist lockdown", is not yet done. Can I edit "/etc/apache2/listen.conf" to listen only to the IPs that I put in, which are the LAN's IPs and the client's static IP?

What I will actually do is allow only the LAN IPs and their IP in "/etc/apache2/listen.conf" for accessing the Vicidial web. So I will port forward port 80 on our router, but the server will only listen to the IPs I put in "/etc/apache2/listen.conf" and refuse other connections, right?

PS: If I put "192.168.1.0:80" in "/etc/apache2/listen.conf", it includes all IPs under 192.168.1.X, right?

Re: Cant Download recording on Vicidial Web

Posted: Tue Feb 05, 2019 8:18 pm
by williamconley
Don't "open a port to the world" so one person on one IP address can get to the server.

If someone needs access, open their IP ADDRESS so they can have access.

To add an authorized IP, we have published Dynamic Good Guys (simple to use after installation) OR you can add an authorized IP or IP Range in yast firewall's "custom rules" tab.

1) yast firewall
2) "custom rules"
3) "Add"
4) "source network" = the IP you are authorizing (or ip range, such as 71.122.99.0/24 which covers 256 IPs)
5) "Protocol" = TCP
6) "Add"

Then do it again except with "Protocol"=UDP instead of TCP.

That will add one IP or IP Range for full access. Permanently.


These changes must happen in the firewall, not in apache or any other app.

Re: Cant Download recording on Vicidial Web

Posted: Wed Feb 06, 2019 2:18 pm
by Leckbush
But even if I add his IP to the openSUSE firewall, they still can't access the server, because the server is behind a router which has a firewall too. So I need to port forward port 80, which the server listens on, and add his IP...

Our setup is like this:

Internet -> Router (Provided by ISP) -> 1eth Vici Server and LAN's

Re: Cant Download recording on Vicidial Web

Posted: Wed Feb 06, 2019 4:19 pm
by williamconley
Recommended option:

Get a dedicated IP for the Vicidial server so it can NOT have a router. And of course: Whitelist lock down the server.

If not possible to get a dedicated IP:

Forward TCP ports 80, 443, 22 and UDP 5060, 10000-25000 (Range) through the router to the Vicidial server BUT be sure you have whitelisted the Vicidial server FIRST so only authorized IPs will be allowed in anyway.

These two options are equally safe, but Network Address Traversal (aka: NAT) resulting from the "Router to Private Network" packet routing may cause call quality or other issues until you have a dedicated IP for the Vicidial server.

If you don't experience any issues, however, it's not in any way necessary to change the setup (ie: If it ain't broke, don't fix it). If call quality is not affected by the shared IP/router: Just forward the ports and discuss the dedicated IP with your ISP for future planning (find out how long it may take and how much it may cost and any other requirements such as a different router). If they can do it fast with little extra cost, then you can wait until it becomes necessary without a lot of risk. But if it'll take a long time to do ... consider getting the ball rolling before you NEED it to avoid problems while waiting. 8-)

Re: Cant Download recording on Vicidial Web

Posted: Wed Feb 06, 2019 5:49 pm
by Leckbush
"Forward TCP ports 80, 443, 22 and UDP 5060, 10000-25000 (Range) through the router to the Vicidial server BUT be sure you have whitelisted the Vicidial server FIRST so only authorized IPs will be allowed in anyway."

On our router, ports 5060, 5061, 5062, 5076 and 10000-40000 are forwarded on both TCP and UDP. Should I follow your forwarding instructions?

On the DGG instructions: I will not include or follow the "Allow Good Guys on Apache" part, right? Because I'm not installing DGG, just whitelisting...?

[edit - added quote tag so the quote is actually a Visibly Obvious Quote instead of being in quotation marks. - WilliamConley]

Re: Cant Download recording on Vicidial Web

Posted: Wed Feb 06, 2019 6:47 pm
by williamconley
you don't need the other ports if you don't care about web. and 5061/2 are only necessary if you actually use them.

I recommend the allow apache good guys line because it requires a reboot to activate. if (some day) you decide you need it, NOT needing to reboot to activate may come in handy. Not a big deal, but interesting and entirely up to you. 8-)

Re: Cant Download recording on Vicidial Web

Posted: Wed Feb 06, 2019 8:00 pm
by Leckbush
Well, I tried the instructions for DGG. But I'm having a problem with them. Does it really require 2 eth? Because server 2 (which I'm whitelisting) has only one NIC.

Re: Cant Download recording on Vicidial Web

Posted: Wed Feb 06, 2019 8:17 pm
by williamconley
If you only have one network port, and it's for a local subnet that has a router on it, you just have to allow the local subnet in the iptables custom networks tab to communicate with all the agents on the local net.

For instance, if the local IP is "192.168.1.15" you would add "192.168.1.0/24" TCP and UDP entries to allow all IPs on that local net to communicate with the server. That example opens 192.168.1.1 to 192.168.1.256 with two entries (one for TCP and one for UDP). TCP is for web (HTTP/Apache web port 80 is TCP) and UDP is for audio (SIP port 5060 is UDP).

Re: Cant Download recording on Vicidial Web

Posted: Thu Feb 07, 2019 5:24 pm
by Leckbush
So if I add 192.168.1.0/255.255.255.0 or 192.168.1.0/24 in both UDP and TCP, will that allow this thing you said: "If you only have one network port, and it's for a local subnet that has a router on it, you just have to allow the local subnet in the iptables custom networks tab to communicate with all the agents on the local net."

Re: Cant Download recording on Vicidial Web

Posted: Thu Feb 07, 2019 5:34 pm
by williamconley
Leckbush wrote: So if I add 192.168.1.0/255.255.255.0 or 192.168.1.0/24 in both UDP and TCP, will that allow this thing you said: "If you only have one network port, and it's for a local subnet that has a router on it, you just have to allow the local subnet in the iptables custom networks tab to communicate with all the agents on the local net."

assuming that's your local subnet, yepper.

Re: Cant Download recording on Vicidial Web

Posted: Thu Feb 07, 2019 5:55 pm
by Leckbush
Yes, William. UPDATE: I managed to follow all the instructions in WhitelistLockdown. But I skipped "Add administrator access using custom hooks" and "Allow apache to add good guys" because they're for installing DGG, and I'm not installing it. After that I forwarded the server on the router and tested accessing the server through a proxy and even my phone data, and IT WORKS. The server is live outside (port forwarded outside) but denying access. However, I tried allowing my phone's public IP on the firewall (external, UDP and TCP) and I couldn't access it. Is it normal that only static IPs are allowed access from outside when I whitelist authorized clients?

Re: Cant Download recording on Vicidial Web

Posted: Thu Feb 07, 2019 6:30 pm
by williamconley
i have no idea what you just asked. sorry. lol

Re: Cant Download recording on Vicidial Web

Posted: Thu Feb 07, 2019 6:32 pm
by Leckbush
Never mind. Pardon my grammar, haha! How about the thing I told you about, skipping "Add administrator access using custom hooks" and "Allow apache to add good guys"? It's fine, right?

Re: Cant Download recording on Vicidial Web

Posted: Thu Feb 07, 2019 7:37 pm
by williamconley
Leckbush wrote: Never mind. Pardon my grammar, haha! How about the thing I told you about, skipping "Add administrator access using custom hooks" and "Allow apache to add good guys"? It's fine, right?

Neither are required. Although I like adding administrator access using that method. It'll never "accidentally" get deleted there AND you have the ability to put a # in front of a note above it so you can specify the owner of the IP. Handy.

Re: Cant Download recording on Vicidial Web

Posted: Thu Feb 07, 2019 10:53 pm
by Leckbush
That's cool. Imma add it.

PS: Is it normal that I see in the logs that the server drops connections from various IPs unknown to me? They're trying to access the web server but they get dropped, as seen in the log. Is that normal?

Re: Cant Download recording on Vicidial Web

Posted: Fri Feb 08, 2019 10:51 am
by williamconley
Yep. That shows "It's working".

If a specific IP or IP Range becomes particularly annoying by appearing far too often, you could consider finding the sys admin email (using "whois") of those IP addresses and send a notice that someone is trying to hack your system. Include the logs for that IP.

Usually, however, it's fairly random and not very often. If you just got whitelist set up, it may take a few days to "wear off" that they can no longer hit the password locations they used to try daily.

Re: Cant Download recording on Vicidial Web

Posted: Fri Feb 08, 2019 1:17 pm
by Leckbush
Okay. Thank you, William. One last thing: how do I do the same thing on my server 1? My server 2 shows connections in real time (DROP/ACCEPT) on the root command console, but server 1 doesn't. How do I turn it on? Or is there a command to tail it in real time?

Re: Cant Download recording on Vicidial Web

Posted: Fri Feb 08, 2019 1:28 pm
by williamconley
/var/logs shows these in text files for the various services being hit.

the console shows them if you are physically logged in (during certain scenarios) at that machine's keyboard instead of using putty.

But the logs are where you should be getting this information.

Re: Cant Download recording on Vicidial Web

Posted: Fri Feb 08, 2019 1:44 pm
by Leckbush
Can I monitor these in the console in real time?

Re: Cant Download recording on Vicidial Web

Posted: Fri Feb 08, 2019 1:56 pm
by williamconley
using "tail" and "watch", sure. kinda a waste of time, though, honestly. Unless you're bored.

example for multiple file watching:

Code:
watch -n 5 "cd /var/log; tail -10 firewall; tail -10 apache2/error_log;"

Re: Cant Download recording on Vicidial Web

Posted: Fri Feb 08, 2019 2:14 pm
by Leckbush
Thanks, William, for teaching me this. This is not my field in IT; this is my first time doing network and system administration, lol. Many thanks.